You can now use the upstream publish date in Cloudsmith policies for Python, NuGet, Docker, Ruby, Go, Rust (Cargo), Conda, and Maven packages, expanding on the npm support 

. This enables you to define policies that automatically quarantine new packages for a specific time period (e.g., three days) after release.

Implementing policies that delay package usage is an effective safeguard against zero-day attacks. Enforcing a time lag before consuming a new package version gives the community time to discover vulnerabilities and allows intelligence feeds to update.

When used alongside a Cloudsmith policy that blocks known malicious packages, this "soak period" ensures a robust defense for your software supply chain.

For more information on how we source publish date metadata for each format, 

Package publish date is now available for npm, Python, NuGet, Docker, Ruby, Go, Rust, Conda, and Maven

. Policy as code is an early access feature; 

Upstream publish date added for additional formats

 to sunset our old documentation website. That plan remains on track, and we expect to retire and redirect our old docs in April 2026. 

This month we're adding a significant new capability to 

 within the context of our docs; learning about available endpoints and their parameters, then trying them out for yourself with an API key. By showing you the exact type and shape of response data from our API, the sandbox will help you onboard to Cloudsmith faster, and speed up the development of your own custom integrations with the platform. 

We're excited to see what customers do with the new API sandbox. We'll continue to improve it each month, so if you have any comments or feedback, please 

API sandbox added to our documentation website

We’ve added support for generic upstreams to the 

. This update allows customers to automate the proxying and caching of any file-based asset - such as raw binaries or scripts - directly via Infrastructure as Code.

 resource, you can integrate external file sources into your supply chain with consistent, repeatable configurations.

 for more details on the new generic format and upstreams.

Manage generic upstreams via the Cloudsmith Terraform provider

. This brings our automated exports into parity with the Cloudsmith UI and manual CSV downloads, giving you deeper visibility into your package delivery performance.

For teams managing high-traffic repositories or optimizing CI/CD pipelines, understanding cache performance is vital. This update ensures your external logging and observability tools have the same level of granularity as the Cloudsmith web app.

 Identifies whether a package was served from an existing cache (

 This field is now live and included in the JSON payload. As a standard JSON addition, this is a non-breaking change for downstream consumers.

 To prevent breaking existing automated workflows, we are releasing the CSV update separately. We are currently coordinating with customers who utilize our larger CSV delivery format to ensure a smooth transition.

New field: Cache hit / miss data added to client log exports

 offers a flexible way to upload and manage any file or binary within Cloudsmith. This release includes 

, enabling teams to fetch assets from external sources that don’t fit into standard package ecosystems.

This brings your custom scripts, installers, and zipped binaries into your managed supply chain, automating ingestion and ensuring that your internal URLs remain consistent with upstream sources.

The Generic format is designed for artifacts that rely on specific file paths rather than semantic versions. By using the filepath as the unique identifier, this format allows you to mirror the exact directory structures of external sources (like a raw Apache file server or a Gradle distribution) directly within Cloudsmith.

 Use filepaths as unique identifiers to replicate upstream directory structures exactly as they exist at the source.

Proxy & cache from upstream repositories:

 Securely fetch and cache files from external sources, creating a more secure and reliable internal supply chain.

 We merge local packages and cached upstream files into a single, browsable HTML index.

 Prevent file collisions between multiple upstreams by assigning unique path prefixes (e.g., gradle_distributions/) to keep assets distinct.

The Generic format connects to a wide variety of sources via three primary methods:

 Connects to any simple, unstyled HTML directory (no JavaScript) to index and download files. Works out-of-the-box for sources like 

 We offer specialized handlers for specific ecosystems, including 

 that use JavaScript rendering, we support integration via their APIs. 

Note: Due to the variability of these environments, these upstreams require a dedicated configuration. Please contact us to help set this up.

. You can begin using it today by creating a new repository and selecting "Generic" as the format type for upload.

 for additional instructions, and please 

 with any questions or feedback as we continue to refine the format.

Mirror external file structures and secure your binaries with the new Generic format

Builds are now faster with support for parallel artifact uploads during 

Maven 3.9.12 enabled parallel deployment by default, which previously caused a race condition resulting in incomplete packages or synchronization errors. We updated our platform to support these concurrent requests, ensuring stability and reducing total build times.

This update is active for all customers using Maven 3.9.12 or later. No configuration changes are required.

Support for Maven parallel deployment

Public Broadcasts make it easier than ever to deliver software to your end users through a branded, trustworthy, and developer-friendly distribution experience.

Broadcasts allow you to distribute artifacts directly from your Cloudsmith repositories using a polished, customizable user interface that reflects your brand, integrates with native developer tooling, and provides visibility into how your software is being adopted.

 Present your software through an interface that matches your company’s identity. Use your logo, colors, and a custom domain to ensure end users experience a familiar, professional interface when deciding to install your software.

 Eliminate the guesswork from distribution. Gain real-time insights into which versions are being downloaded and how adoption trends change over time.

 Broadcasts integrate seamlessly with native developer tooling, allowing users to fetch packages via their preferred CLI or CI/CD tools—no friction, no workarounds.

 Turn any existing Cloudsmith repository into a professional public distribution portal in seconds. No need to build, host, or maintain custom download pages.

Since the initial Early Access release, we’ve added several features to further refine the distribution experience:

, including architecture and distribution information, is now available on Broadcasts.

 with improved installation documentation to help users get started faster.

, making it easier to share open-source projects and artifacts.

 to start broadcasting today from any existing Cloudsmith repository. 

Public Broadcasts are now generally available

Cloudsmith now provides a reference implementation guide for Amazon SageMaker. This resource demonstrates how to utilize Cloudsmith as a secure, central hub for the Hugging Face models, Docker images, and Python packages required for machine learning workflows.

AI/ML supply chains are often fragmented; relying on unmanaged public sources for models and dependencies introduces security risks and build instability. This guide provides a blueprint for moving ML artifacts into a private, governed environment without disrupting the SageMaker development experience.

This release provides a reusable set of instructions and scripts designed to be embedded directly into your existing SageMaker workflows.

 Use Cloudsmith to proxy and cache Hugging Face models, ensuring consistent availability for SageMaker training jobs.

 Consolidate Python packages and Docker containers within Cloudsmith to create a single source of truth for SageMaker environments.

 Implementation examples cover how to configure SageMaker to authenticate and fetch artifacts securely during execution.

The implementation guide and code samples are available in our public repository:

For detailed setup instructions, refer to the

Secure ML workflows with Cloudsmith and Amazon SageMaker

 runtime and updates default OIDC audience claims to align with modern security standards.

This is a major version release to prevent breaking changes for users pinned to 

. While core CLI functionality remains unchanged, environment requirements and OIDC defaults have been updated to ensure long-term compatibility and improved security.

 GitHub automatically provides the necessary runtime; no user intervention is required.

 You must ensure Node 24+ is installed on your environment to run 

 Support for Node 20 is now deprecated in this major version. We will continue to maintain 

 until the Node 20 End-of-Life (EOL) scheduled in 

 input has been updated to provide organization-specific audience claims, increasing the security of the OIDC exchange.

f your existing OIDC trust configuration relies on the legacy 

 claim, you must either update your validation logic within Cloudsmith or explicitly set 

oidc-audience: 'api://AzureADTokenExchange'

 in your workflow YAML to maintain current behavior.

For a detailed list of all technical commits and specific file changes, please refer to the 

CLI GitHub Action v2.0.0

A crucial part of effective package management is package distribution. Whether you are dealing with distributed teams or deploying global applications, you need efficient, reliable delivery - anywhere in the world.

To support this, we are continuing to expand our global footprint and are now live in Tokyo.

: We have upgraded our edge infrastructure in APAC. Unlike standard CDNs, Cloudsmith’s PDN is context-aware and optimized specifically for software artifacts.

: Users and build pipelines in Asia will experience faster throughput.

: We now handle authentication logic directly at the Tokyo edge node. This significantly reduces round-trip times for "chatty" protocols (like Maven, NuGet, or Docker) by validating credentials locally rather than routing back to the origin.

: For organizations with strict data residency requirements, you can now explicitly select Tokyo as your storage region. This ensures your data rests physically within Japan, satisfying local compliance needs.

The Tokyo region is available when creating a new repository, and all customers will automatically experience the performance benefits of our expanded PDN.

Cloudsmith Changelog